The previous post is part right, part wrong. It's part right because it's true that the php script will run on the remote server, if it's capable of interpreting php scripts. You can see this by creating this script on a remote machine:<?phpecho system("hostname");?>Then include that in a php file on your local machine. When you view it in a browser, you'll see the hostname of the remote machine.

However, that does not mean there are no security worries here. Just try replacing the previous script with this one:<?phpecho "<?php system(\"hostname\"); ?>";?>I'm guessing you can figure out what that's gonna do.